The OAuth 2.0 specification is a flexible authorization framework that describes a number of grants (“methods”) for a client application to acquire an access token (which represents a user’s permission for the client to access their data) that can then be used to authenticate a request to an API endpoint.

The specification describes five grants for acquiring an access token: authorization code grant, implicit grant, resource owner credentials grant, client credentials grant and refresh token grant. In this post I’m going to describe each of the above grants and their appropriate use cases.

He then walks through each of these grant types, giving a brief summary of what each is for and the data its requests must include, with links to more information. The post wraps up with a flowchart that helps you decide which grant type to use in your system, along with a few further questions to answer to find the right fit.
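To make the grants above concrete, here is an added example that is not code from the original post or from its author: a small in-memory model of an OAuth 2.0 authorization server and a client exercising three of the five grants, the authorization code grant (with the `state` check and single-use code), the refresh token grant (with rotation) and the client credentials grant. Endpoints are plain method calls instead of HTTPS requests, and the client id `demo-client`, the secret, the redirect URI and the scopes are made-up values for the demo.

```python
# Added example (not code from the original post): an in-memory model of an
# OAuth 2.0 authorization server and client for the authorization code, refresh
# token and client credentials grants. Client id, secret and URLs are made up.
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    def __init__(self):
        # Registered clients: client_id -> (client_secret, allowed redirect URIs).
        self.clients = {"demo-client": ("s3cret", {"https://client.example/callback"})}
        self.codes = {}    # authorization code -> binding data, single use, short lived
        self.tokens = {}   # access token -> {client_id, scope, expires}
        self.refresh = {}  # refresh token -> {client_id, scope}

    def authorize(self, client_id, redirect_uri, scope, state):
        """Authorization endpoint, after the user has logged in and consented."""
        _, allowed = self.clients[client_id]
        if redirect_uri not in allowed:  # never redirect to an unregistered URI
            raise ValueError("invalid redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "expires": time.time() + 60}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, params, client_id, client_secret):
        """Token endpoint: authenticates the client, then dispatches on grant_type."""
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            return {"error": "invalid_client"}
        grant = params.get("grant_type")
        if grant == "authorization_code":
            rec = self.codes.pop(params.get("code"), None)  # pop: a code is single use
            if (rec is None or rec["expires"] < time.time()
                    or rec["client_id"] != client_id
                    or rec["redirect_uri"] != params.get("redirect_uri")):
                return {"error": "invalid_grant"}
            return self._issue(client_id, rec["scope"], with_refresh=True)
        if grant == "refresh_token":
            rec = self.refresh.pop(params.get("refresh_token"), None)  # rotate on use
            if rec is None or rec["client_id"] != client_id:
                return {"error": "invalid_grant"}
            return self._issue(client_id, rec["scope"], with_refresh=True)
        if grant == "client_credentials":
            # Machine-to-machine: no user involved, so no refresh token is issued.
            return self._issue(client_id, params.get("scope", ""), with_refresh=False)
        return {"error": "unsupported_grant_type"}

    def _issue(self, client_id, scope, with_refresh):
        access = secrets.token_urlsafe(32)
        self.tokens[access] = {"client_id": client_id, "scope": scope,
                               "expires": time.time() + 3600}
        response = {"access_token": access, "token_type": "Bearer",
                    "expires_in": 3600, "scope": scope}
        if with_refresh:
            refresh = secrets.token_urlsafe(32)
            self.refresh[refresh] = {"client_id": client_id, "scope": scope}
            response["refresh_token"] = refresh
        return response

    def is_valid(self, access_token):
        """What a protected API endpoint checks before serving a request."""
        rec = self.tokens.get(access_token)
        return rec is not None and rec["expires"] > time.time()


CLIENT_ID, CLIENT_SECRET = "demo-client", "s3cret"
REDIRECT_URI = "https://client.example/callback"


def run_authorization_code_flow(server):
    """Client side of the authorization code grant, followed by a refresh."""
    # state is bound to the user's session so a forged callback can be rejected.
    state = secrets.token_urlsafe(16)
    callback = server.authorize(CLIENT_ID, REDIRECT_URI, "read", state)
    qs = parse_qs(urlparse(callback).query)
    if qs.get("state", [None])[0] != state:
        raise ValueError("state mismatch: callback was not triggered by us")
    exchange = {"grant_type": "authorization_code", "code": qs["code"][0],
                "redirect_uri": REDIRECT_URI}
    first = server.token(exchange, CLIENT_ID, CLIENT_SECRET)   # back channel
    replay = server.token(exchange, CLIENT_ID, CLIENT_SECRET)  # must be refused
    refreshed = server.token({"grant_type": "refresh_token",
                              "refresh_token": first["refresh_token"]},
                             CLIENT_ID, CLIENT_SECRET)
    return first, replay, refreshed


def run_client_credentials_flow(server):
    """A backend service acting for itself: one round trip, no user involved."""
    return server.token({"grant_type": "client_credentials", "scope": "reports"},
                        CLIENT_ID, CLIENT_SECRET)


if __name__ == "__main__":
    srv = AuthorizationServer()
    first, replay, refreshed = run_authorization_code_flow(srv)
    print(replay, srv.is_valid(refreshed["access_token"]), run_client_credentials_flow(srv))
```

The three checks worth copying into a real implementation are the ones the model enforces: the redirect URI must be pre-registered and must match between the authorization and token requests, the authorization code is consumed on first use so a leaked code cannot be replayed, and the client's `state` value is compared on the callback so an attacker cannot complete the flow with a code bound to their own account. The implicit and resource owner credentials grants are not modelled here; the flowchart in the post is where the decision between them and the grants shown above is made.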